 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4299
|
 Posted: Wed Nov 11, 2020 11:58 am Post subject: |
 |
|
MinBall / MaxBall are floats (5.517117 / 654.110291 respectively). Do the arithmetic using floating point numbers; don't convert them to integers immediately (especially not through reinterpretation of bits).
| mrhartsclube wrote: | | I find a number that just increases and because its using a trigonometric function sine, by increasing the number (angle) it gives the bucket back and forth movement between -1 and 1. but there is no such -1 and 1 number found so I'll go with the increasing one |
I see no mention of this in your code.
Sounds to me like one of your pointer paths gets messed up when the ball is fired. Check if the addresses they're pointing to are consistent, and do proper error handling for read* / write*. read* won't return anything on error (vars are nil); write* will return true/false depending on whether or not the call to WPM succeeded (on some exception, it returns nothing).
If the pointer paths are fine, perhaps one of the addresses they're pointing to isn't used after the ball is fired. Look at what instructions access the addresses being pointed to. If nothing is reading from them after the ball is fired, it's not the right address.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4299
|
| Posted: Wed Nov 11, 2020 11:25 pm Post subject: |
|
|
| mrhartsclube wrote: | | That's the part I wrote Integer into memory... |
If the actual x coordinate is the sine of that value, you should be using the inverse sine function somewhere. Graph the points and come up with a sinusoid that's a good fit (e.g. desmos; type "table" to get a table); then, find the inverse of that function.
But this might not be that pragmatic. If it works, it works, and you can forget about this; if it's slightly off between the middle and the ends, this is likely the problem.
I'm glad you discovered what's wrong and I hope you can find a solution for it. As an alternative to pointers, code injection can be used to get an address (search for "injection copy").
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4299
|
| Posted: Fri Nov 13, 2020 1:26 pm Post subject: |
|
|
| Code: | fld dword ptr [ebp+08] - push an argument on the fpu stack
fld st(0) - duplicate that value (new top value)
fadd dword ptr [ecx+000000F4] - add the float at this address to the top value
fstp dword ptr [ecx+000000F4] - store the top value at that address and pop it from the fpu stack
fld dword ptr [ecx+000000F8] - push something else
fld dword ptr [ebp+0C] - push another argument to this function
|
I'm assuming the fstp instruction writes the value of the bucket's x-coordinate. Make sure it doesn't write to anything else (right click -> "Find out what addresses this instruction accesses").
Then just write a code injection and do whatever you want with it. e.g.:
| Code: | [ENABLE]
aobscan(bucketXInject, D9 C0 D8 81 F4 00 00 00 D9 99 F4 00 00 00) // make sure this is unique
alloc(newmem,2048)
alloc(bucketXval,4)
label(return)
registersymbol(bucketXInject)
registersymbol(bucketXval)
newmem:
fld dword ptr [bucketXval]
jmp return
bucketXval:
dd (float)300.0
bucketXInject:
jmp newmem
nop
nop
nop
return:
[DISABLE]
bucketXInject:
db D9 C0 D8 81 F4 00 00 00
dealloc(newmem)
dealloc(bucketXval)
unregistersymbol(bucketXInject)
unregistersymbol(bucketXval)
{
d9 45 08 fld dword ptr [ebp+8]
// injecting here
d9 c0 fld st(0)
d8 81 f4 00 00 00 fadd dword ptr [ecx+f4]
// done injecting
d9 99 f4 00 00 00 fstp dword ptr [ecx+f4]
d9 81 f8 00 00 00 fld dword ptr [ecx+f8]
d9 45 0c fld dword ptr [ebp+c]
} |
If you can find a good way of getting the ball's x-coordinate in this context that would be ideal to copy right into the bucket's x-coordinate. e.g. perhaps if you're really lucky [ecx+ec] is the ball's x-coordinate?
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
| Posted: Fri Nov 13, 2020 2:52 pm Post subject: |
|
|
| ParkourPenguin wrote: | | Code: | fld dword ptr [ebp+08] - push an argument on the fpu stack
fld st(0) - duplicate that value (new top value)
fadd dword ptr [ecx+000000F4] - add the float at this address to the top value
fstp dword ptr [ecx+000000F4] - store the top value at that address and pop it from the fpu stack
fld dword ptr [ecx+000000F8] - push something else
fld dword ptr [ebp+0C] - push another argument to this function
|
I'm assuming the fstp instruction writes the value of the bucket's x-coordinate. Make sure it doesn't write to anything else (right click -> "Find out what addresses this instruction accesses"). |
Thanks for the explanation, and yes its only writing on the bucket.
| ParkourPenguin wrote: | | If you can find a good way of getting the ball's x-coordinate in this context that would be ideal to copy right into the bucket's x-coordinate. e.g. perhaps if you're really lucky [ecx+ec] is the ball's x-coordinate? |
Thanks again for the script, however I have some questions, and I have the X-Ball coordinates pointer, that was the first pointer in my original LUA.
So this is how far I could go with your code and my incomplete knowledge  :
| Code: |
define(address,"PeggleNights.exe"+9A3C6)
define(bytes,D9 C0 D8 81 F4 00 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(bucketXval,4)
label(return)
registersymbol(bucketXval)
newmem:
fld dword ptr [bucketXval]
jmp return
bucketXval:
{$LUA}
MinBuck = 66.00
MaxBuck = 586.0
MinBall = 5.500
MaxBall = 643.3
Ratio = (MaxBall-MinBall)/(MaxBuck-MinBuck)
XBall = readFloat("[[[[PeggleNights.exe+002CBDD8]+30]+2C]+0]+EC")
XBuck = ((XBall-MinBall)/Ratio)+MinBuck
writeFloat(bucketXval,XBuck) <====
{$ASM}
address:
jmp newmem
nop 3
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
dealloc(bucketXval)
unregistersymbol(bucketXval)
|
Well it seems registered symbol in assembly part cannot be used inside LUA, and I'm pretty confused with this code already!
Either I should use the code I pointed at, or I use something like "dd XBuck" after {$ASM}!
And I know for sure they both won't work! so is current code!
So how can I write XBuck into bucketXval? 
Oh I was about to forget; when I used dd (float)300.0, the bucket frozen in a place and its like nothing is there, the ball just goes over the bucket and a coin flip for free ball/no ball! funny thing is the screenshot I attached shows that the score backgrounds are also works with this address and I got no points even when the ball goes through the one with all backgrounds!!! I guess the code is only on screen bucket and also makes the real bucket disappear! because I shot balls to entire game width and I got no freeball for catching by the bucket! 
I'm most likely certain that something is wrong again!!
| Description: |
|
| Filesize: |
199.23 KB |
| Viewed: |
5665 Time(s) |
|
_________________
iMЯH |
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4299
|
| Posted: Fri Nov 13, 2020 5:18 pm Post subject: |
|
|
| mrhartsclube wrote: | So this is how far I could go with your code and my incomplete knowledge:
code... |
{$lua} blocks in the auto assembler are analogous to a preprocessor directive. They're run before most other stuff is run (including registersymbol, I presume).
The easiest thing you can do is create a timer that writes the x coordinate to the symbol bucketXval - i.e. writeFloat("bucketXval", ...)
If you want to do it in assembly:
| Code: | define(address,"PeggleNights.exe"+9A3C6)
define(bytes,D9 C0 D8 81 F4 00 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
label(minBuck)
label(maxBuck)
label(minBall)
label(maxBall)
newmem:
push eax
mov eax,[PeggleNights.exe+002CBDD8]
mov eax,[eax+30]
mov eax,[eax+2c]
mov eax,[eax]
fld dword ptr [maxBall]
fld dword ptr [minBall]
fld dword ptr [maxBuck]
fld dword ptr [minBuck]
fld dword ptr [eax+EC]
fld dword ptr [minBall]
fld dword ptr [minBuck]
fxch st(1)
fsubp st(2),st(0)
fxch st(5)
fsubrp st(4),st(0)
fxch st(1)
fsubp st(2),st(0)
fxch st(1)
fdivp st(2),st(0)
fdivrp st(1),st(0)
faddp st(1),st(0)
pop eax
jmp return
newmem+800:
minBuck:
dd (float)66.0
maxBuck:
dd (float)586.0
minBall:
dd (float)5.5
maxBall:
dd (float)643.3
address:
jmp newmem
nop 3
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
{
d9 45 08 fld dword ptr [ebp+8]
// injecting here
d9 c0 fld st(0)
d8 81 f4 00 00 00 fadd dword ptr [ecx+f4]
// done injecting
d9 99 f4 00 00 00 fstp dword ptr [ecx+f4]
d9 81 f8 00 00 00 fld dword ptr [ecx+f8]
d9 45 0c fld dword ptr [ebp+c]
}
|
I copied the x87 instructions from the output of a compiler- haven't tested it. You might overflow the x87 stack by pushing 7 values on it. Optimizing the code by hand should work, or you can probably use SSE instead:
| Code: | ...
newmem:
push eax
mov eax,[PeggleNights.exe+002CBDD8]
mov eax,[eax+30]
mov eax,[eax+2c]
mov eax,[eax]
movss xmm2,[maxBall]
movss xmm5,[minBall]
movss xmm0,[maxBuck]
movss xmm4,[minBuck]
movss xmm1,[eax+EC]
movss xmm6,[minBall]
subss xmm2,xmm5
movss xmm3,[minBuck]
subss xmm0,xmm4
subss xmm1,xmm6
divss xmm1,xmm2
mulss xmm0,xmm1
addss xmm0,xmm3
sub esp,4
movss [esp],xmm0
fld dword ptr[esp]
add esp,4
pop eax
jmp return
... |
(again, copied from a compiler, not tested)
| mrhartsclube wrote: | | I guess the code is only on screen bucket and also makes the real bucket disappear! |
Sounds like you found the wrong value. Keep searching and find one that actually works. If changing/freezing it normally in the address list doesn't work, changing it in Lua or assembly won't work either. You can still take what I wrote as an example to learn from if you want.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
| Posted: Sun Feb 20, 2022 8:53 pm Post subject: |
|
|
So I'm back again! I appear every two years 
I am old enough to raise so many expectation, so I can't cheat games all the time and it happens to happen every two years 
Anyhow, I used registersymbol to define both addresses as variable and I tried to use it in LUA in between my ASM code but it gives me "This instruction can't be compiled" while the code works correctly in LUA editor!
Also if it runs before everything, things gets complicated!
Here's my code:
BUCKET POSITION AND CALCULATIONS:
| Code: | define(address,"Peggle.exe"+79A8C)
define(bytes,8B 46 4C 51 D9 1C 24)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(xbucket,4)
label(pegsnui)
label(bucket)
label(return)
xbucket:
dd 0
newmem:
cmp [esi+10],3 // 3 is used for pegs but 5 and 2 used for UI and bucket
je pegsnui
mov [xbucket],eax // eax is the increasing value for the bucket
jmp bucket
pegsnui:
mov eax,[esi+4C]
bucket:
{$lua}
MinBuck = 150.0
MaxBuck = 450.0
MinBall = 5.500
MaxBall = 643.3
Ratio = (MaxBall-MinBall)/(MaxBuck-MinBuck)
XBall = readFloat '[xball]+EC'
XBucket = getAddressSafe '[xbucket]+4C'
XBuck = ((XBall-MinBall)/Ratio)+MinBuck
writeInteger(XBucket,math.floor(XBuck))
{$asm}
push ecx
fstp dword ptr [esp]
jmp return
address:
jmp newmem
nop 2
return:
registersymbol(xbucket)
[DISABLE]
address:
db bytes
dealloc(*)
unregistersymbol(*) |
BALL X POSITION
| Code: |
define(address,"Peggle.exe"+673E7)
define(bytes,D9 87 EC 00 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(xball,4)
label(code)
label(return)
xball:
dd 0
newmem:
mov [xball], edi
code:
fld dword ptr [edi+000000EC]
jmp return
address:
jmp newmem
nop
return:
registersymbol(xball)
[DISABLE]
address:
db bytes
dealloc(*)
unregistersymbol(*)
|
Now I expect the xball and xbucket can be calculated by the LUA code but I messed it up and I don't even know if the rest of the code works or not 
_________________
iMЯH |
|
| Back to top |
|
|
LeFiXER
Grandmaster Cheater Supreme
![]() Reputation: 20
Joined: 02 Sep 2011
Posts: 1055
Location: 0x90
|
| Posted: Mon Feb 21, 2022 4:13 am Post subject: |
|
|
| Code: |
define(address,"Peggle.exe"+79A8C)
define(bytes,8B 46 4C 51 D9 1C 24)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(xbucket,4)
label(pegsnui)
label(bucket)
label(return)
xbucket:
dd 0
newmem:
cmp [esi+10],3 // 3 is used for pegs but 5 and 2 used for UI and bucket
je pegsnui
mov [xbucket],eax // eax is the increasing value for the bucket
jmp bucket
pegsnui:
mov eax,[esi+4C]
bucket:
{$lua}
MinBuck = 150.0
MaxBuck = 450.0
MinBall = 5.500
MaxBall = 643.3
Ratio = (MaxBall-MinBall)/(MaxBuck-MinBuck)
XBall = readFloat '[xball]+EC'
XBucket = getAddressSafe '[xbucket]+4C'
XBuck = ((XBall-MinBall)/Ratio)+MinBuck
writeInteger(XBucket,math.floor(XBuck))
{$asm} // These directives must not have whitespace preceding them otherwise they count as a comment
push ecx
fstp dword ptr [esp]
jmp return
address:
jmp newmem
nop 2
return:
registersymbol(xbucket)
[DISABLE]
address:
db bytes
dealloc(*) // Using * in dealloc/unregistersymbol will deallocate all allocated memory/registered symbols
unregistersymbol(*) // Including those in other scripts
|
Perhaps that is the cause of your issue.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25295
Location: The netherlands
|
| Posted: Mon Feb 21, 2022 4:54 am Post subject: |
|
|
keep in mind that {$lua} only runs one time when the script is assembled
it won't execute again
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4299
|
| Posted: Mon Feb 21, 2022 1:20 pm Post subject: |
|
|
| LeFiXER wrote: | | Code: | dealloc(*) // Using * in dealloc/unregistersymbol will deallocate all allocated memory/registered symbols
unregistersymbol(*) // Including those in other scripts |
|
What?
These scripts don't interfere with each other:
| Code: | [ENABLE]
alloc(foo,4096)
registersymbol(foo)
[DISABLE]
dealloc(*)
unregistersymbol(*) |
| Code: | [ENABLE]
alloc(bar,4096)
registersymbol(bar)
[DISABLE]
dealloc(*)
unregistersymbol(*) |
xball script looks ok, but I'd use globalalloc for xball:
| Code: | define(address,"Peggle.exe"+673E7)
define(bytes,D9 87 EC 00 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
globalalloc(xball,4)
xball:
dd 0
newmem:
mov [xball], edi
fld dword ptr [edi+000000EC]
jmp return
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
dealloc(*) |
This way, the other script won't have to worry about what happens if xball gets deallocated.
bucket position and calculations could use some work.
First of all, what's with the cmp instruction? The code under the bucket label gets executed regardless, so I don't understand why it's even there. If 2 is used for the bucket, shouldn't you compare it against 2 and skip everything if it's not 2?
I guess esi+4C is the actual address of the bucket's x position since 4C is the offset used in the Lua code. If so, the comment "eax is the increasing value for the bucket" might not apply where it is since the instruction `mov eax,[esi+4C]` hasn't been executed yet. You're also storing the value instead of the address.
Maybe something like this:
| Code: | define(address,"Peggle.exe"+79A8C)
define(bytes,8B 46 4C 51 D9 1C 24)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
label(originalcode)
label(minBall)
label(minBuck)
label(ratio)
label(return)
newmem+800:
minBall:
dd (float)5.5
minBuck:
dd (float)150.0
// maxBall = 643.3, maxBuck = 450.0
// ratio = (maxBall - minBall) / (maxBuck - minBuck)
ratio:
dd (float)2.126
newmem:
cmp [esi+10],2
jne originalcode
// bucket
mov eax,[xball]
test eax,eax // if xball is null (hasn't been initialized yet)
jz originalcode
movss xmm0,[eax+EC]
subss xmm0,[minBall]
divss xmm0,[ratio]
addss xmm0,[minBuck]
cvttss2si eax,xmm0
mov [esi+4C],eax
originalcode:
mov eax,[esi+4C]
push ecx
fstp dword ptr [esp]
jmp return
address:
jmp newmem
nop 2
return:
[DISABLE]
address:
db bytes
dealloc(*) |
Even still, you're just performing a linear interpretation between the extremes of both objects. If the bucket moves along a sinusoid it might not be good enough.
{$ccode} was a recent addition you might be able to use. The sin function should be available.
https://forum.cheatengine.org/viewtopic.php?t=618134
I can't play around with it right now to figure out how it works.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
LeFiXER
Grandmaster Cheater Supreme
![]() Reputation: 20
Joined: 02 Sep 2011
Posts: 1055
Location: 0x90
|
| Posted: Mon Feb 21, 2022 1:59 pm Post subject: |
|
|
| ParkourPenguin wrote: |
...
|
Ah, it must have been something else that caused my issue of memory being deallocated and symbols being unregistered at that time which led me to believe it was the cause of
| Code: |
dealloc(*)
unregistersymbol(*)
|
Good to know it wasn't that. I have been avoiding using it since because of that. From now on that will save me some time, thanks for clearing that up and apologies for the misinformation.
|
|
| Back to top |
|
|
mrhartsclube
Newbie cheater
![]() Reputation: 0
Joined: 03 Feb 2013
Posts: 15
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
) and thanks for helps 